Zigzag

Reputation: 1

PHP - LDAP Filter members of a group

I have a PHP script which connects to Active Directory. I can retrieve the groups successfully, but I need help retrieving the users/members of these groups.

The filter below retrieves all the group names successfully. How can I edit my filter to retrieve all users within these groups?

$base_dn = "OU=My Folder, OU=Special Groups, DC=test, DC=co, DC=za";

$filter = "(&(objectClass=group))";

Upvotes: 0

Views: 977

Answers (2)

gazza

Reputation: 11

If you are querying Active Directory, you can request the TokenGroup attribute of the user or group to get the complete list of groups that the object is a member of. There are some limitations to using this method: the returned values are SIDs of the groups, and you will need to call the LookupAccountSid function to get the group names. The TokenGroup attribute is a constructed attribute and is only returned if the search scope is BASE; a query with ONELEVEL or SUBTREE will not return the attribute.

Upvotes: 1

Gabriel Luci

Reputation: 41008

It's not as simple as modifying the filter and getting them all at once. You will need to loop through the results of your query and then query the members of each group. There are two ways to do this (inside the loop):

  1. Bind to the group object and look at the member attribute, which will give you the distinguished name of each member.
  2. Perform a new query to find users where the memberOf attribute contains the group's distinguished name. The filter would look something like this:
     (&(objectClass=user)(objectCategory=person)(memberOf={$groupDn}))

If you have more than one domain in your forest, or you have external trusted domains, then looking at memberOf may not find all the members. If you don't care about users on other domains, then you'll always be fine. But be aware. I have an explanation in an article I wrote: Active Directory: What makes a member a member?. Look under the "Beware of memberOf" subheading.

Upvotes: 0
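Added example, not part of the answer above or of the question's script: the second approach as a loop, with the group DN passed through `ldap_escape()` before it is interpolated into the filter, since a DN may contain `(`, `)`, `*` or `\`. The function names, the `LDAP_URI`/`LDAP_USER`/`LDAP_PASS` environment variables, the sample group DN and the user search base `DC=test, DC=co, DC=za` are assumptions made for illustration.

```php
<?php
// Added example; not code from the question or the answers.

// Approach 2's filter, with the group DN escaped for filter context.
// A DN can legally contain ( ) * and \, which are filter metacharacters.
function memberFilter(string $groupDn): string
{
    $dn = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=user)(objectCategory=person)(memberOf={$dn}))";
}

// Run a subtree search and return the DN of every entry found.
function searchDns($conn, string $baseDn, string $filter): array
{
    $result = ldap_search($conn, $baseDn, $filter, ['cn']);
    if ($result === false) {
        throw new RuntimeException(ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    $dns = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $dns[] = $entries[$i]['dn'];
    }
    return $dns;
}

// Map each group under $groupBase to the users whose memberOf names it.
function groupMembers($conn, string $groupBase, string $userBase): array
{
    $members = [];
    foreach (searchDns($conn, $groupBase, '(objectClass=group)') as $groupDn) {
        $members[$groupDn] = searchDns($conn, $userBase, memberFilter($groupDn));
    }
    return $members;
}

// Constructed DN with parentheses: shows the escaping without a server.
echo memberFilter('CN=Ops (Night),OU=Special Groups,DC=test,DC=co,DC=za'), PHP_EOL;

// Live query only when the hypothetical LDAP_URI/LDAP_USER/LDAP_PASS are set.
if (getenv('LDAP_URI')) {
    $conn = ldap_connect(getenv('LDAP_URI'));
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, getenv('LDAP_USER'), getenv('LDAP_PASS'))) {
        exit('bind failed: ' . ldap_error($conn) . PHP_EOL);
    }
    $groupBase = 'OU=My Folder, OU=Special Groups, DC=test, DC=co, DC=za';
    print_r(groupMembers($conn, $groupBase, 'DC=test, DC=co, DC=za'));
}
```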
